An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

FTC Cracks Down on Webcam Company for Lack of Security

In its first move to address privacy concerns raised by the interconnectivity of multiple devices commonly referenced as the “Internet of Things,” the Federal Trade Commission last week entered an agreement with TrendNet, resolving allegations that the company failed to adequately protect its customers’ private video feeds.

TrendNet, a retailer of Internet and other mobile devices, manufactures IP cameras that permit customers to monitor their homes or businesses remotely, via live video and audio feeds. The live feeds are transmitted via Internet and can be accessed by the customer via computer or mobile device.

Though TrendNet advertised its customers SecurView cameras as secure, the Commission alleges the company’s representations were misleading. According to the Commission’s complaint, from January 2010, the company — whose motto is “Networks People Trust” — transmitted unencrypted user login credentials over the Internet and failed to implement reasonable security measures to prevent unauthorized access to live feeds. The Commission also alleges TrendNet failed to take reasonable steps to ensure that its customers’ security settings would be honored.

In January 2012, a hacker publicly exposed the flaw in TrendNet’s system, posting links to almost 700 customers’ live feeds. The feeds displayed footage of infants sleeping in cribs, young children playing, and private rooms in customers’ homes. TrendNet issued a software patch to resolve the problem affecting 20 of its IP camera models, but it was not an automatic upgrade.

Pursuant to its agreement with the Commission, TrendNet is immediately required to install and maintain a comprehensive security program to protect its customers’ personal information. TrendNet is also required to conduct periodic risk assessments of its security systems for the next 20 years, which will include responding to third-party security vulnerability reports.

TrendNet also must notify its customers of the flaw that allowed third parties to access their live feed information and provide instructions and live customer support on how to resolve the flaw.

As companies continue to develop interconnected products that link to the Internet, consumer privacy and security issues will become increasingly important. Some practical points for any business to consider are the following:

If your company is responsible for accessing or storing a customer’s sensitive information, take reasonable steps to ensure that information is secure.

Periodically assess your system for risks, for instance, by implementing regular vulnerability testing or by conducting a periodic review of third-party vulnerability reports.

Regularly audit your system to verify that data access restrictions are consistent with each user’s individual security settings.

To minimize risk further, periodically assess whether the consumer information being collected and retained is actually necessary to the successful operation of your business.

Related

I am an avid follower of all things political. After growing up in a politically active ultra-conservative household, working on a wide range of Republican political campaigns, and interning in the offices of several Democratic members of Congress, I evolved into a self-described "moderate" (which, to my mother, means "punk liberal"). Over the past few years, I have grown increasingly frustrated by the corruption and perverseness of the U.S. political process. I believe in a "common sense" approach to politics -- something that too many of today's politicians are lacking.